5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/03/2024, 21:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
Size

361KB
MD5

ad9a8ff45ebc40af2cb5d07ed709f57e
SHA1

f3d334c9b70dc1e9ab192f5e37cd198782707ba1
SHA256

5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1
SHA512

c17c77f9cd587547540532465f041a3a65fc15c57237a470a01a5e94b0b2a8ca0acf06bcda8bcf6258e5e8f3c6f58a6b675cb4ceafade7afa2f30683b7ff82c2
SSDEEP

6144:rflfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:rflfAsiVGjSGecvX

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3020	ecwuomgezwrpjhbz.exe
3672	CreateProcess.exe
2024	mjecwuomgw.exe
4052	CreateProcess.exe
2516	CreateProcess.exe
3092	i_mjecwuomgw.exe
2660	CreateProcess.exe
4520	rljdbwtolg.exe
2672	CreateProcess.exe
1600	CreateProcess.exe
3288	i_rljdbwtolg.exe
3952	CreateProcess.exe
2480	jdbvtolgey.exe
3468	CreateProcess.exe
4964	CreateProcess.exe
2656	i_jdbvtolgey.exe
2056	CreateProcess.exe
3744	gaysqkidav.exe
448	CreateProcess.exe
1380	CreateProcess.exe
4008	i_gaysqkidav.exe
5064	CreateProcess.exe
3640	icavsnlfdp.exe
3784	CreateProcess.exe
1528	CreateProcess.exe
2908	i_icavsnlfdp.exe
4788	CreateProcess.exe
2896	ausmkfcxvp.exe
2704	CreateProcess.exe
2400	CreateProcess.exe
3756	i_ausmkfcxvp.exe
2068	CreateProcess.exe
3016	xrpkhcausm.exe
1988	CreateProcess.exe
208	CreateProcess.exe
2668	i_xrpkhcausm.exe
1464	CreateProcess.exe
3880	smkecwupmh.exe
4648	CreateProcess.exe
1972	CreateProcess.exe
2024	i_smkecwupmh.exe
1272	CreateProcess.exe
3960	trmkecwuom.exe
5072	CreateProcess.exe
4956	CreateProcess.exe
2944	i_trmkecwuom.exe
1276	CreateProcess.exe
4488	rmjebwuomg.exe
3456	CreateProcess.exe
1600	CreateProcess.exe
4408	i_rmjebwuomg.exe
3756	CreateProcess.exe
4988	oigbytrljd.exe
2704	CreateProcess.exe
3468	CreateProcess.exe
3512	i_oigbytrljd.exe
1812	CreateProcess.exe
4924	ljdbvtnlgd.exe
5076	CreateProcess.exe
4996	CreateProcess.exe
2008	i_ljdbvtnlgd.exe
4420	CreateProcess.exe
4016	qlidbvtnlf.exe
4136	CreateProcess.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4876	ipconfig.exe
4512	ipconfig.exe
4976	ipconfig.exe
4996	ipconfig.exe
3628	ipconfig.exe
2340	ipconfig.exe
4692	ipconfig.exe
4080	ipconfig.exe
1648	ipconfig.exe
3540	ipconfig.exe
2912	ipconfig.exe
3680	ipconfig.exe
868	ipconfig.exe
4988	ipconfig.exe
2556	ipconfig.exe
1444	ipconfig.exe
3060	ipconfig.exe
2056	ipconfig.exe
3296	ipconfig.exe
740	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1240232911"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1234139286"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31093759"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31093759"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0141c4aff73da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "416959268"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7525EE79-DFF2-11EE-AE4D-EA08C850D01B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000805151ee19e06f4a9c31cfe2ca71daec0000000002000000000010660000000100002000000073917fdd9adf2c72670ab3e65839da467e8b68aed33efe7968726f52a4167888000000000e800000000200002000000018e2b14cd2667f2be0cbb12e9dffaa377661f7b0f2e3642c88b1696fe0ae68df2000000092a1c31aadc48eee8b08d3f2158f6d24ed2f554309f52d1e7320630c4b07ce964000000065edb274c667da4457494a7c24d4db0e9442f1e90c3aebeb5edb6dc75d2ba729b6328d89db31ff5a60de89c47d96ebf8d317166f6e252772a218af26007b85fa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1234139286"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31093759"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f077124aff73da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000805151ee19e06f4a9c31cfe2ca71daec000000000200000000001066000000010000200000009ad9a91f4bea01287ffa413db040f435f02946c0c15dc7ec53e717002842e0fa000000000e8000000002000020000000a14d30c40c11fde9c25ab0bc5b291b562c349b63cb9946b08657f2cbb37d36de20000000947ac6b9e62871cb48a884a776d415fc8b33a1d1a50e6ed159386c9eb5500102400000000841ecd884342488f60a65f358b1842decdbc0f29b6bfb0064beb5e8f884e8b5da9567bcb329d21c90b15e3684f2ec34abcce6e9877b96f118e685c8d38ec120	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
3020	ecwuomgezwrpjhbz.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found
632	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3092	i_mjecwuomgw.exe
Token: SeDebugPrivilege	3288	i_rljdbwtolg.exe
Token: SeDebugPrivilege	2656	i_jdbvtolgey.exe
Token: SeDebugPrivilege	4008	i_gaysqkidav.exe
Token: SeDebugPrivilege	2908	i_icavsnlfdp.exe
Token: SeDebugPrivilege	3756	i_ausmkfcxvp.exe
Token: SeDebugPrivilege	2668	i_xrpkhcausm.exe
Token: SeDebugPrivilege	2024	i_smkecwupmh.exe
Token: SeDebugPrivilege	2944	i_trmkecwuom.exe
Token: SeDebugPrivilege	4408	i_rmjebwuomg.exe
Token: SeDebugPrivilege	3512	i_oigbytrljd.exe
Token: SeDebugPrivilege	2008	i_ljdbvtnlgd.exe
Token: SeDebugPrivilege	4976	i_qlidbvtnlf.exe
Token: SeDebugPrivilege	1316	i_nifaxsqkic.exe
Token: SeDebugPrivilege	1736	i_kicausnkfc.exe
Token: SeDebugPrivilege	4056	i_hfzxrpjhcz.exe
Token: SeDebugPrivilege	3852	i_jhbzurmkec.exe
Token: SeDebugPrivilege	2992	i_ezwrojhbzt.exe
Token: SeDebugPrivilege	4968	i_ywqojgbytr.exe
Token: SeDebugPrivilege	3292	i_ytqlidbvtn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1060	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1060	iexplore.exe
1060	iexplore.exe
4472	IEXPLORE.EXE
4472	IEXPLORE.EXE
4472	IEXPLORE.EXE
4472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 3020	1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	92
PID 1568 wrote to memory of 3020	1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	92
PID 1568 wrote to memory of 3020	1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	92
PID 1568 wrote to memory of 1060	1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	93
PID 1568 wrote to memory of 1060	1568	5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe	93
PID 1060 wrote to memory of 4472	1060	iexplore.exe	94
PID 1060 wrote to memory of 4472	1060	iexplore.exe	94
PID 1060 wrote to memory of 4472	1060	iexplore.exe	94
PID 3020 wrote to memory of 3672	3020	ecwuomgezwrpjhbz.exe	95
PID 3020 wrote to memory of 3672	3020	ecwuomgezwrpjhbz.exe	95
PID 3020 wrote to memory of 3672	3020	ecwuomgezwrpjhbz.exe	95
PID 2024 wrote to memory of 4052	2024	mjecwuomgw.exe	98
PID 2024 wrote to memory of 4052	2024	mjecwuomgw.exe	98
PID 2024 wrote to memory of 4052	2024	mjecwuomgw.exe	98
PID 3020 wrote to memory of 2516	3020	ecwuomgezwrpjhbz.exe	105
PID 3020 wrote to memory of 2516	3020	ecwuomgezwrpjhbz.exe	105
PID 3020 wrote to memory of 2516	3020	ecwuomgezwrpjhbz.exe	105
PID 3020 wrote to memory of 2660	3020	ecwuomgezwrpjhbz.exe	110
PID 3020 wrote to memory of 2660	3020	ecwuomgezwrpjhbz.exe	110
PID 3020 wrote to memory of 2660	3020	ecwuomgezwrpjhbz.exe	110
PID 4520 wrote to memory of 2672	4520	rljdbwtolg.exe	112
PID 4520 wrote to memory of 2672	4520	rljdbwtolg.exe	112
PID 4520 wrote to memory of 2672	4520	rljdbwtolg.exe	112
PID 3020 wrote to memory of 1600	3020	ecwuomgezwrpjhbz.exe	115
PID 3020 wrote to memory of 1600	3020	ecwuomgezwrpjhbz.exe	115
PID 3020 wrote to memory of 1600	3020	ecwuomgezwrpjhbz.exe	115
PID 3020 wrote to memory of 3952	3020	ecwuomgezwrpjhbz.exe	117
PID 3020 wrote to memory of 3952	3020	ecwuomgezwrpjhbz.exe	117
PID 3020 wrote to memory of 3952	3020	ecwuomgezwrpjhbz.exe	117
PID 2480 wrote to memory of 3468	2480	jdbvtolgey.exe	119
PID 2480 wrote to memory of 3468	2480	jdbvtolgey.exe	119
PID 2480 wrote to memory of 3468	2480	jdbvtolgey.exe	119
PID 3020 wrote to memory of 4964	3020	ecwuomgezwrpjhbz.exe	122
PID 3020 wrote to memory of 4964	3020	ecwuomgezwrpjhbz.exe	122
PID 3020 wrote to memory of 4964	3020	ecwuomgezwrpjhbz.exe	122
PID 3020 wrote to memory of 2056	3020	ecwuomgezwrpjhbz.exe	124
PID 3020 wrote to memory of 2056	3020	ecwuomgezwrpjhbz.exe	124
PID 3020 wrote to memory of 2056	3020	ecwuomgezwrpjhbz.exe	124
PID 3744 wrote to memory of 448	3744	gaysqkidav.exe	126
PID 3744 wrote to memory of 448	3744	gaysqkidav.exe	126
PID 3744 wrote to memory of 448	3744	gaysqkidav.exe	126
PID 3020 wrote to memory of 1380	3020	ecwuomgezwrpjhbz.exe	130
PID 3020 wrote to memory of 1380	3020	ecwuomgezwrpjhbz.exe	130
PID 3020 wrote to memory of 1380	3020	ecwuomgezwrpjhbz.exe	130
PID 3020 wrote to memory of 5064	3020	ecwuomgezwrpjhbz.exe	132
PID 3020 wrote to memory of 5064	3020	ecwuomgezwrpjhbz.exe	132
PID 3020 wrote to memory of 5064	3020	ecwuomgezwrpjhbz.exe	132
PID 3640 wrote to memory of 3784	3640	icavsnlfdp.exe	134
PID 3640 wrote to memory of 3784	3640	icavsnlfdp.exe	134
PID 3640 wrote to memory of 3784	3640	icavsnlfdp.exe	134
PID 3020 wrote to memory of 1528	3020	ecwuomgezwrpjhbz.exe	137
PID 3020 wrote to memory of 1528	3020	ecwuomgezwrpjhbz.exe	137
PID 3020 wrote to memory of 1528	3020	ecwuomgezwrpjhbz.exe	137
PID 3020 wrote to memory of 4788	3020	ecwuomgezwrpjhbz.exe	140
PID 3020 wrote to memory of 4788	3020	ecwuomgezwrpjhbz.exe	140
PID 3020 wrote to memory of 4788	3020	ecwuomgezwrpjhbz.exe	140
PID 2896 wrote to memory of 2704	2896	ausmkfcxvp.exe	142
PID 2896 wrote to memory of 2704	2896	ausmkfcxvp.exe	142
PID 2896 wrote to memory of 2704	2896	ausmkfcxvp.exe	142
PID 3020 wrote to memory of 2400	3020	ecwuomgezwrpjhbz.exe	145
PID 3020 wrote to memory of 2400	3020	ecwuomgezwrpjhbz.exe	145
PID 3020 wrote to memory of 2400	3020	ecwuomgezwrpjhbz.exe	145
PID 3020 wrote to memory of 2068	3020	ecwuomgezwrpjhbz.exe	150
PID 3020 wrote to memory of 2068	3020	ecwuomgezwrpjhbz.exe	150

C:\Users\Admin\AppData\Local\Temp\5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe
"C:\Users\Admin\AppData\Local\Temp\5bf0a2b6b059c419eb32832a4cdf7eb438d9521520471d1065962e7902e3d7e1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Temp\ecwuomgezwrpjhbz.exe
  C:\Temp\ecwuomgezwrpjhbz.exe run
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mjecwuomgw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3672
  - - C:\Temp\mjecwuomgw.exe
      C:\Temp\mjecwuomgw.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4052
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:868
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mjecwuomgw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2516
  - - C:\Temp\i_mjecwuomgw.exe
      C:\Temp\i_mjecwuomgw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3092
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rljdbwtolg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2660
  - - C:\Temp\rljdbwtolg.exe
      C:\Temp\rljdbwtolg.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4520
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2672
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4988
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rljdbwtolg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1600
  - - C:\Temp\i_rljdbwtolg.exe
      C:\Temp\i_rljdbwtolg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3288
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jdbvtolgey.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3952
  - - C:\Temp\jdbvtolgey.exe
      C:\Temp\jdbvtolgey.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2480
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3468
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1444
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jdbvtolgey.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4964
  - - C:\Temp\i_jdbvtolgey.exe
      C:\Temp\i_jdbvtolgey.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2656
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\gaysqkidav.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2056
  - - C:\Temp\gaysqkidav.exe
      C:\Temp\gaysqkidav.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3744
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:448
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3060
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_gaysqkidav.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1380
  - - C:\Temp\i_gaysqkidav.exe
      C:\Temp\i_gaysqkidav.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4008
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icavsnlfdp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:5064
  - - C:\Temp\icavsnlfdp.exe
      C:\Temp\icavsnlfdp.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3784
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4512
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icavsnlfdp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1528
  - - C:\Temp\i_icavsnlfdp.exe
      C:\Temp\i_icavsnlfdp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ausmkfcxvp.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4788
  - - C:\Temp\ausmkfcxvp.exe
      C:\Temp\ausmkfcxvp.exe ups_run
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2704
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4080
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ausmkfcxvp.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2400
  - - C:\Temp\i_ausmkfcxvp.exe
      C:\Temp\i_ausmkfcxvp.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3756
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkhcausm.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2068
  - - C:\Temp\xrpkhcausm.exe
      C:\Temp\xrpkhcausm.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3016
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1988
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1648
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkhcausm.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:208
  - - C:\Temp\i_xrpkhcausm.exe
      C:\Temp\i_xrpkhcausm.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\smkecwupmh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1464
  - - C:\Temp\smkecwupmh.exe
      C:\Temp\smkecwupmh.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3880
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4648
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_smkecwupmh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1972
  - - C:\Temp\i_smkecwupmh.exe
      C:\Temp\i_smkecwupmh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2024
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\trmkecwuom.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1272
  - - C:\Temp\trmkecwuom.exe
      C:\Temp\trmkecwuom.exe ups_run
      4⤵
      Executes dropped EXE
      PID:3960
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5072
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_trmkecwuom.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4956
  - - C:\Temp\i_trmkecwuom.exe
      C:\Temp\i_trmkecwuom.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rmjebwuomg.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1276
  - - C:\Temp\rmjebwuomg.exe
      C:\Temp\rmjebwuomg.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4488
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:3456
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4996
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rmjebwuomg.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1600
  - - C:\Temp\i_rmjebwuomg.exe
      C:\Temp\i_rmjebwuomg.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:4408
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\oigbytrljd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:3756
  - - C:\Temp\oigbytrljd.exe
      C:\Temp\oigbytrljd.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4988
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2704
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_oigbytrljd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:3468
  - - C:\Temp\i_oigbytrljd.exe
      C:\Temp\i_oigbytrljd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3512
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ljdbvtnlgd.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1812
  - - C:\Temp\ljdbvtnlgd.exe
      C:\Temp\ljdbvtnlgd.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4924
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:5076
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3628
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ljdbvtnlgd.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:4996
  - - C:\Temp\i_ljdbvtnlgd.exe
      C:\Temp\i_ljdbvtnlgd.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2008
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\qlidbvtnlf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:4420
  - - C:\Temp\qlidbvtnlf.exe
      C:\Temp\qlidbvtnlf.exe ups_run
      4⤵
      Executes dropped EXE
      PID:4016
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:4136
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:740
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_qlidbvtnlf.exe ups_ins
    3⤵
    PID:1880
  - - C:\Temp\i_qlidbvtnlf.exe
      C:\Temp\i_qlidbvtnlf.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\nifaxsqkic.exe ups_run
    3⤵
    PID:1500
  - - C:\Temp\nifaxsqkic.exe
      C:\Temp\nifaxsqkic.exe ups_run
      4⤵
      PID:1076
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1776
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2340
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_nifaxsqkic.exe ups_ins
    3⤵
    PID:2024
  - - C:\Temp\i_nifaxsqkic.exe
      C:\Temp\i_nifaxsqkic.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1316
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\kicausnkfc.exe ups_run
    3⤵
    PID:4988
  - - C:\Temp\kicausnkfc.exe
      C:\Temp\kicausnkfc.exe ups_run
      4⤵
      PID:3756
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4548
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_kicausnkfc.exe ups_ins
    3⤵
    PID:3292
  - - C:\Temp\i_kicausnkfc.exe
      C:\Temp\i_kicausnkfc.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1736
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\hfzxrpjhcz.exe ups_run
    3⤵
    PID:1212
  - - C:\Temp\hfzxrpjhcz.exe
      C:\Temp\hfzxrpjhcz.exe ups_run
      4⤵
      PID:4792
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4912
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3540
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_hfzxrpjhcz.exe ups_ins
    3⤵
    PID:748
  - - C:\Temp\i_hfzxrpjhcz.exe
      C:\Temp\i_hfzxrpjhcz.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4056
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhbzurmkec.exe ups_run
    3⤵
    PID:2308
  - - C:\Temp\jhbzurmkec.exe
      C:\Temp\jhbzurmkec.exe ups_run
      4⤵
      PID:1268
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3492
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2912
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhbzurmkec.exe ups_ins
    3⤵
    PID:4812
  - - C:\Temp\i_jhbzurmkec.exe
      C:\Temp\i_jhbzurmkec.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3852
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ezwrojhbzt.exe ups_run
    3⤵
    PID:836
  - - C:\Temp\ezwrojhbzt.exe
      C:\Temp\ezwrojhbzt.exe ups_run
      4⤵
      PID:2244
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:3696
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3680
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ezwrojhbzt.exe ups_ins
    3⤵
    PID:4652
  - - C:\Temp\i_ezwrojhbzt.exe
      C:\Temp\i_ezwrojhbzt.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2992
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ywqojgbytr.exe ups_run
    3⤵
    PID:4192
  - - C:\Temp\ywqojgbytr.exe
      C:\Temp\ywqojgbytr.exe ups_run
      4⤵
      PID:2972
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1348
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2556
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ywqojgbytr.exe ups_ins
    3⤵
    PID:4124
  - - C:\Temp\i_ywqojgbytr.exe
      C:\Temp\i_ywqojgbytr.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ytqlidbvtn.exe ups_run
    3⤵
    PID:4136
  - - C:\Temp\ytqlidbvtn.exe
      C:\Temp\ytqlidbvtn.exe ups_run
      4⤵
      PID:2116
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:4420
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:4876
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ytqlidbvtn.exe ups_ins
    3⤵
    PID:1172
  - - C:\Temp\i_ytqlidbvtn.exe
      C:\Temp\i_ytqlidbvtn.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3292
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1060 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\CreateProcess.exe

Filesize
3KB

MD5
2301f8749b89eed43ae2f9f0863e88c9

SHA1
5f7085885e2fe4572d55e88f151c789d030b5e58

SHA256
3636f8e52cd5542e639bfcb15a4137570c72c66eb6d9998ab1b16ca3247134e6

SHA512
4c83512f28a72ad807366b5183006337d4f7a2de832d700e650a2755aae7dd16dd857153c7f3af84b5e985f8bdff816a9ea6bb6db931c3f873cdce9de89a704b

Download Submit
C:\Temp\ausmkfcxvp.exe

Filesize
361KB

MD5
6a703c721ac7de101eb77a876edfc4e9

SHA1
608a76f96796f18f06f84f61abc80ddb035b86f3

SHA256
1593a4e1efdd22f79b55544ae87477603b144a64ac710382c067e58f34cf48b3

SHA512
829c0dc66b25ffc53303c4dfc4f396491cdb987582bd7df6e534f2181eb1cd23c9dd39390f2068896d6ee2e9e507a5c2d001fa69025d53a3d73fcae8b72f00a2

Download Submit
C:\Temp\ecwuomgezwrpjhbz.exe

Filesize
361KB

MD5
96c3d40457b45da1a5b2bcd862ccf1b0

SHA1
19e21b79ea4e859c1e4b4598fa1f166b4ff1b41f

SHA256
0fd8c59e8a90b4c1cddc06dfa7b5500f3bded1fbe2c97793d176a954ac459ad9

SHA512
be3e3a1b1d1f0a06c90b48c0f1244827edc43fdbfbd05425686edb65a8fe0e27057b8b0c0d07e81e3da4dc12360965b6b8d5f31d3ab234c91015f725a381bf87

Download Submit
C:\Temp\gaysqkidav.exe

Filesize
361KB

MD5
8b680e9cbd9349fec3afaebf54abb415

SHA1
2aca70797043aa3c24188767b4bb206a9d11ab81

SHA256
03fd2abb20ebfd8fa2b06e9e3ea792ac7cc0e23556fa2daafc82ca38e088ccf8

SHA512
4a192c4d666afa5f0c0f4df69baa884040abbfd49c530dfea70f343ee539aa7f5aed329c0f1a33aa03a158de467fa7d495da5873bd800dcbf5745cea46126fd3

Download Submit
C:\Temp\i_ausmkfcxvp.exe

Filesize
361KB

MD5
5289e871e6263fc2116aeaedcc508d98

SHA1
7fbdd71d247bcf23e72ac8f483fa67a9075c5d09

SHA256
b2f9d85e4dab97c2796362488fd2bb5ffe8e47a9992b760084eaf93681a7d27e

SHA512
8be2195f7e1027d5288513da62fffbec31fdd510ba0e4c0d6267a79e8d0513a5e8509f78e17a3b92c0292d7e912b58506359f24580a87b4d397bea4ccd8c4194

Download Submit
C:\Temp\i_gaysqkidav.exe

Filesize
361KB

MD5
c38dfa89d72b26951f20056cb89f7f95

SHA1
458ebbbf28d59f8ba80cabb6e0f15ca02ea0d2e2

SHA256
41fa430df8e7cd92c529e1eccc3f79eb292d5e4594cfde056d7d1eb1540a3c9d

SHA512
8a8e7834f4ab98a201e0aaea0ee4e6bc12725901bd4b6ee2cea27c383b6debdc3a7e1f7cf19f8d059d1c90a4f12786d77e2e05a95c537c798ecd619039dfb643

Download Submit
C:\Temp\i_icavsnlfdp.exe

Filesize
361KB

MD5
9f5c37abf41f0debff61397c3a33017a

SHA1
f03220c9ed0fe29e4ed0295be714e2dafff5f692

SHA256
1efc6f8c72f13ff0f8ab7488a1bb79aea08fb5307a340ede81e1ccf3da90a32f

SHA512
bf2932e4c5f7b233a32d0a7304da2ef97abd39c72eac416f6c01957b3148add03d2d5abfc977b30eca11e42ff9e80f43231a99c25a94227e8f65d28a6de414b2

Download Submit
C:\Temp\i_jdbvtolgey.exe

Filesize
361KB

MD5
162bbf7050854c433caa584e5b078edf

SHA1
704d1a39a8e4f8f8f97b9b8825f21a4544524197

SHA256
e553543d15b45c602db0720a108bf4a899e847710c4ea935a50b9d5cbff13b65

SHA512
ced751995ebc62201e9451948e33a498157885ce2ea21298ba4412e764410132bd81eb9f485c011b47859a8d994e5aecd741a776c120c512a9a5181f9d195638

Download Submit
C:\Temp\i_mjecwuomgw.exe

Filesize
361KB

MD5
c9cb6d12872ca9f607c72089b319ad36

SHA1
d5b1b80d8a3a7f0cf0355c07aec4b6995020f62c

SHA256
a71c8dd9041b2ce9c21dfb40055f47f1db87d3ffa09baf7be56919611ffb195c

SHA512
5d9cd4e2786ca431647ba976f06f94667ed88b68e3ab0c01791978e24e8c5c23a611655805c00ed83a895ecd6a0a53395bc6ae89ce25e061c131796269f2870f

Download Submit
C:\Temp\i_rljdbwtolg.exe

Filesize
361KB

MD5
37551176e463ecc3b022713fe39829f1

SHA1
a4ef6c0a6b4558998f2dccd9eea51652361852d3

SHA256
e8fc7b924f9732105cb151b76884a6ee92d64c6629d3f1fe81801e9520a15110

SHA512
5cfd43f1bd360bf987dd55079a5ef5e379f34fa31c54b25719fb0dbc84a62b1bec4425c329a84a5cbd7d17cc95b04ed048c391bca8a6c2949d154fc8b941462c

Download Submit
C:\Temp\i_smkecwupmh.exe

Filesize
361KB

MD5
d5a33ae02fb4ab59bbbfec89c66767b5

SHA1
7343b078fa85e4ef6525652c2836b963c44d7c79

SHA256
e60b0d7678cc93164f12e635475fb1e810b5377afe32c707573ea68a2ebd94c3

SHA512
917298a4df4338b33175c7dd6cc35cb3cfb0958edba1949d78baf7ef24fd65c8e449619af110d54bc3740f744621ae976ad9e2871c7b40dc8ab5a259f64d0b2b

Download Submit
C:\Temp\i_xrpkhcausm.exe

Filesize
361KB

MD5
01ac1d7a8d26fdacc6772805dd6f9848

SHA1
1ca91b902dc1adf5ca59b2aa442f4f76b376e6f5

SHA256
7fb7dbc4285525ba83622c0d956344f205a8822eae39e6bec03c1505ebcd0b77

SHA512
5536bcfaeda0d55e60d6df49143e81fbe9a4b1a3294260b7cdf3e76c86d4463adc5969607d9aa19524b4dbdeb414a6445cc419fe730e3ba32a2318e494bfe034

Download Submit
C:\Temp\icavsnlfdp.exe

Filesize
361KB

MD5
f66b717562b5849fa76c2ffc0ba9a4f5

SHA1
8d4ec9f829e9963303cf8c564218804ceac0519f

SHA256
fcbc853908161e1d4555de63d33914aeeb7e1d04a6a5d298adb91cda52015ac2

SHA512
0edafea06f9f4999bb5901cfdf0a3609510c746a9220a28669c1071027e22e1298fa72daf0a6d9fe7e00d444fa6278b7c3659b5219aea1c2f209c6ebb13686f2

Download Submit
C:\Temp\jdbvtolgey.exe

Filesize
361KB

MD5
07d80ad76d2ceb99e2d52fa8fd14b113

SHA1
91f7b085ad266f3b36cde699df0270a4d645b3c8

SHA256
470d4e9b218ee7c0d7e68cb4db662f926008815413eab06d03c3c03727f77be4

SHA512
bf6035eeeb276e1e8010587df9d02e83e36d8ca1280bf0f1e20e621d75d346b6e7da073c76aaeb39b4433b51b739a1d0d3d802f54a67b1329f46a2edf74736eb

Download Submit
C:\Temp\mjecwuomgw.exe

Filesize
361KB

MD5
bc610e45a96597a7307277f6b4198e05

SHA1
bb398e8eb840d28a0ed7ccd37358214c2e90c3f1

SHA256
23fe2ba9cc12a0a974dc45e492a68f8fb30325ba9f0dce9d7b281f72b4ab75f8

SHA512
e1a3ec063599bca310681c2c9d1f4ce2be0ae9e6d7741a5f29226893e0145db446cf9aef4204123a1eef75ef45da97bb96b7ce51a64e3501de8f7c2bda5b3deb

Download Submit
C:\Temp\rljdbwtolg.exe

Filesize
361KB

MD5
adf972ac367c0f8afa0fa6afc5041477

SHA1
269d97237efa1c0178fd188dcadeedc6188f8b3c

SHA256
a6b4d13335340604ba79e1b4daee343ccd9c14018367cf50b0f6d84dd41258e1

SHA512
276867e2944c4e770d6fb6716e9c32ecd5d4f4deb4f68e678337e312b2bbfb0e6860498bf4016c7f76f7ce6665bc9968480d339ffc812a95dfd0449761b71112

Download Submit
C:\Temp\smkecwupmh.exe

Filesize
361KB

MD5
c6ca59b1ba303432aff0d59e2be34482

SHA1
f59c9c50ad6863c51aaf67a64bb359b1e13cc16c

SHA256
05df2d0e5fce1a71503c7280593702aef82df23d78fbbe333dd85d3254aaef11

SHA512
06eeebbd72a8625fdf01f3c0d8aab48b45d787b70c34742c09af98eaf6f979866a07246196e311a3023a407a581c0cd3c27c1eaa1ee7407d466031ba54d316b3

Download Submit
C:\Temp\trmkecwuom.exe

Filesize
361KB

MD5
48adb878cd94afa5b3c7f5cd9828ed7f

SHA1
76a709e91a857df2f59ed0069845ed50bd969dcb

SHA256
0b1aa43d9d75d6088f7fd131d94f53e7a66f28229009be69c3e7f105056ed47e

SHA512
59d549794a16539252f8be78470be809efbd4f0e7361dd002105b354ad4659f6c4edbf0486b92a0b40db13836f8eaf8850ab682a2bb449dc409528e754c7f3ce

Download Submit
C:\Temp\xrpkhcausm.exe

Filesize
361KB

MD5
1ccd18a63f278fb96f66d2310b418ad8

SHA1
4fd83eacb0b05c6855099904d7321102fc1b07be

SHA256
c585bf2bae1c6b03b79f6aebd66051e445189d615ce0a39de426015ea38bb4ee

SHA512
e7a07f03ab3160e034d6ccfefb5f77c435cea7a6fdd9189222e8d209833a206225dada272f71eba8b99b9ced2d181010410eafd329f78e6a62c8baf72bf66524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\Y4F2DR2Q\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit